Alerts

Updates to Data Transfer Agreements – 21 September Deadline is Approaching

June 24, 2022

The EU General Data Protection Regulation (“GDPR”), and equivalent legislation in effect in the UK, restrict transfers of personal data from the European Union and the United Kingdom.

Firms with operations in the UK or EU are often required to transfer personal data internationally. For example, such firms may be sharing personal data relating to their employees, clients or investors with a group affiliate in the United States or another non-EU/non-UK jurisdiction. EU and UK businesses may also enter into service provider agreements with vendors based outside their jurisdiction which involve handling or storage of personal data by such service providers (e.g. CRM, cloud storage, employee benefits, payroll, travel services or regulatory technology services). In some cases, firms outside the UK/EU may also be required to enter into data transfer agreements with their clients, investors or portfolio companies established in the UK or EU (e.g. in the context of sharing KYC data or monitoring the operations of an investee company).

As a result of recent changes to the rules on international transfers of data, businesses currently relying on standard contractual clauses to transfer personal data from the UK and EU will need to update their data transfer agreements in the near term.

New EEA SCCs

On June 4, 2021, the EU’s executive branch, the European Commission, adopted two sets of Standard Contractual Clauses [1] – one for use between controllers and processors[2] and the other for the transfer of data between the European Economic Area (the “EEA”) and non-EEA countries (collectively, the “New EEA SCCs”)[3] under the GDPR. The New EEA SCCs reflect the GDPR requirements applicable to the appointment of “data processors”, as well as the Schrems II decision, as it relates to the additional safeguards applicable to cross-border transfers of personal data. The New EEA SCCs, which went into effect on June 27, 2021, replace the Standard Contractual Clauses adopted in 2001, 2004 and 2010 (the “Old SCCs”) and introduce new obligations on data transfers.

The Old SCCs were common mechanisms for cross-border personal data transfers to countries outside the EEA, that are not considered to provide equivalent data protection as under the GDPR (that is, countries not subject to an “adequacy” decision by the European Commission).

The New EEA SCCs address the concerns articulated in the Schrems II decision, which found that the Old SCCs were valid, but were not an adequate data transfer mechanism unless they were coupled with transfer impact assessments and certain supplementary measures. To address these concerns, the New EEA SCCs expand obligations for data exporters and importers, strengthen the security measures requirements, impose limitations on disclosing personal data to public authorities, stipulate stronger data subject protection and include impact assessment and audit obligations. The New EEA SCCs retain and expand on the old modular structure applicable to specific transfer scenarios, including controller-to-controller transfers (Module 1), controller-to-processor transfers (Module 2), processor-to-processor transfers (Module 3) and processor-to-controller transfers (Module 4), as well as offering the options to have multiple data exporting parties and add new parties over time.

Compliance with the New EEA SCCs for any new data exports from the EEA has been required since 27 September 2021. Any Old SCCs entered into before that date must be replaced with the New EEA SCCs by 27 December 2022, or earlier if there is a change in the underlying data processing or transfer practices.

UK Data Transfer Agreement

In the UK, new forms of International Data Transfer Agreement (“IDTA”)[4] and IDTA Addendum (“Addendum”) came into effect on 21 March 2022, subject to transitional provisions.

UK exporters of personal data to third countries (such as the United States) that are not covered by an adequacy decision will be able to choose between the IDTA and the Addendum to transfer personal data outside the UK. The IDTA is designed as a form of agreement for exporting data solely from the UK, whereas the Addendum is intended as an add-on to simplify contract documentation for exporters making data transfer out of both the EEA and UK. The UK Information Commissioner’s Office has also updated its “Guide to UK GDPR” to explain the requirements for restricted transfers of data.

A transitional period through to 21 March 2024 applies to contracts entered into before 21 September 2022[5].

UK/EU data exporters should review their data transfer agreements now

Despite the transitional period, UK firms transferring personal data overseas should consider switching to the new IDTA or Addendum now to manage the risk of non-compliance, especially if the data transfers are likely to continue beyond 21 March 2024. There are several compelling reasons to do so. For example, firms currently relying on the Old SCCs will need to ensure that appropriate supplementary controls are in place to comply with the conditions laid out in Schrems II. UK/EU data exporters relying on the Old SCCs to export data from both UK and EEA will not be able to use these after 27 December 2022, as the New EEA SCCs must be used for exporting EEA data. Separately, if the data processing operations change, the new standards must be applied immediately.

Data exporters should review any contractual relationships that rely on the Old SCCs and devise the strategy for prioritising the required updates. The description (including personal data categories) and the purpose of the transfer should be reviewed at the same time, as these may have changed since the contract was first executed. In some cases, it may no longer be necessary to continue transferring personal data, and as such, the data transfer arrangements should be terminated. For any new contracts, given the upcoming deadline of 21 September 2022, firms should begin utilising the IDTA now or, for transfers involving both UK and EEA personal data, a combination of New EEA SCCs and the Addendum.

Authored by Alexander Kim, Kelly Koscuiszka, Anna Maleva-Otto and David Soerensen.

If you have any questions concerning this Alert, please contact your attorney at Schulte Roth & Zabel or one of the authors.

[1] Standard Contractual Clauses (SCC) | European Commission (europa.eu).

[2] Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on SCCs between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council.

[3] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

[4] International Data Transfer Agreement and Guidance.

[5] See scc-transitional-provisions.pdf (ico.org.uk).

This communication is issued by Schulte Roth & Zabel LLP and Schulte Roth & Zabel International LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2022 Schulte Roth & Zabel LLP and Schulte Roth & Zabel International LLP.